Drawing lessons from Chinese attacks on US media

Not every media company is as tempting a target for
hackers as The New York Times, The Washington Post, or The Wall Street Journal. Not every
company can afford high-priced computer security consultants, either. Is there
anything that everyday reporters and their editors can learn about protecting
themselves, based on the revelatory details the Times and other targets made public last week?

As we wrote at the time, the
cyber-attacks on the Times, the Post, and the Journal came as no
surprise to foreign reporters working in China or elsewhere who
repeatedly face fake emails, custom malware, and hacking attacks on their
webmail. But the level of access that the hackers obtained at the Times' main offices, and the publication
of details by their technical advisers, can be instructive.

The Times revealed that it had
been persistently attacked by hackers for four months. The attackers
specifically aimed for access to emails and contacts kept by reporters covering
the financial affairs of China's premier, Wen Jiabao, and his relatives. There
was no smoking gun indicating that this was the work of state-sponsored
hackers, but the Times' security
experts, Mandiant, said the target, the techniques, and the timing of the
attacks strongly suggest it was planned by Chinese hackers working under the
guidance of the Chinese military.

The Post
was later reported to be using the same company to fight off an attack that
began in 2011. The Journal said the
FBI had warned them of a breach in their security in mid-2012. On Tuesday,
Rupert Murdoch, chairman of the paper's owner,
News Corp., tweeted that "[the] Chinese [are] still hacking us, or were over
[the] weekend."

The first lesson: Even if your employer has a
dedicated computer security detail (most do not), you should still make the
security of your own computer a personal matter. Hackers target the weakest
link in order to enter a system, and do not differentiate between personal and
professional systems. The New York Times
indicated in its report that the first breach was a personal "spear-phishing"
mail sent to a Times employee on his
or her own computer. The most convincing of these attacks use personal details
gleaned from public sources or private intelligence. Be careful what email
attachments you open. Don't use the same password on different services, even
if one is professional and the other private. With the cracking of passwords
used by Times employees on an
internal system, other accounts used by those employees elsewhere became
vulnerable, the Times implied. Follow
our advice, and that of others, on developing
your own computer security regime.

Second, you should understand that hackers can gain
access to a great deal of incidental material, even when their attacks fail at
their goals. It is reassuring that even when the Times hackers were attempting to target investigators in China,
they were unable to penetrate the additional security those reporters used.
But this same group now presumably has a large amount of other
information--including names, passwords, and personal information on other
reporters. Such information can be used in future attacks, or may be traded to
other groups with other targets. Twitter lost control of the
(obfuscated) database holding the passwords and email addresses of its earliest
users this week. That information could be used as tradable knowledge for more
targeted attacks on reporters who re-used their Twitter passwords on other
services.

For now, these professional, advanced, and
persistent attacks are being conducted in cases of well-financed industrial
espionage or sophisticated state-level spying. But given the impunity with
which these hackers operate, it's only a matter of time before the data they
collect and the tactics they use will trickle down to common crooks or petty
dictators.

Which brings us to a third point. Both China and the
United States are now suspected of using malware and the illegal entry of
computer systems as tactics in their foreign policy. China spies on American
news media; the U.S. is assumed to have been behind Stuxnet, a customized piece
of malware targeting the Iranian nuclear program.

There are no clearly defined international norms
that govern these practices. As China's Ministry of Defense told The New York Times, "Chinese laws
prohibit any action including hacking that damages Internet security," and
similar laws apply in Iran and the U.S. But if nations believe that they can
conduct these operations abroad against any target without consequence, in an
environment where all countries see hacking as legitimate statecraft, then
journalists will inevitably be among the many unprotected groups that will
suffer for it.

In the end, the only weapon journalists have to
defend themselves against such attacks is vigilance, and their most well-worn
weapon: transparency. The New York Times, Washington Post, and The Wall Street Journal all took an
important step when they began publicizing the attacks they have faced. They
can continue to help smaller media companies and individual reporters by publishing
more details, and pressuring governments to outlaw cyber-attacks as a tool of
international affairs.

San Francisco-based CPJ Internet Advocacy Coordinator Danny O’Brien has worked globally as a journalist and activist covering technology and digital rights. Follow him on Twitter @danny_at_cpj.
